
Since Skype is moving to a fully centralized service that can be even more easily wiretapped by governments around the world (not just the US), I'm very excited about the "revolutionary" (literally) capabilities of this protocol, as people will be able to speak 1-on-1 without interference, if the communication is also encrypted. Does being encrypted or not depend on the specific WebRTC client, or does it come encrypted by default like SPDY?


Don't make the mistake of thinking that because the communication channel is "encrypted", it is secure. SSL can already be compromised (so much for trusting encrypted transport) and the WebRTC client code could be compromised (always a problem).


Can you please provide links on how SSL can be compromised?


It's not SSL per se, but the Certification Authority system that is weak. If you get one of the root CA certs, you can make any SSL cert a valid SSL cert for any domain name.


It's correct that if a root CA is compromised you can make fakes.

To protect against this attack, browsers should warn when a certificate changes; there is even a long-standing bug for Firefox at Mozilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=471798
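
Added example, not part of the thread or of any browser's code: a minimal trust-on-first-use check of the kind the comment above asks for, which flags a certificate that passes CA validation but differs from the one previously seen for the host. The names `PinStore`, `check`, `accept_change` and the certificate byte strings are hypothetical and constructed for illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
# In practice the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed-der-bytes-original-certificate"
CERT_B = b"constructed-der-bytes-different-certificate"


class PinStore:
    """Remember the first certificate seen per host and flag later changes."""

    def __init__(self):
        self.pins = {}  # normalized host -> SHA-256 hex fingerprint

    @staticmethod
    def _host(host):
        # Treat "Example.org." and "example.org" as the same name.
        return host.rstrip(".").lower()

    @staticmethod
    def fingerprint(der):
        return hashlib.sha256(der).hexdigest()

    def check(self, host, der, chain_valid):
        """Return 'reject', 'first-use', 'match' or 'changed'."""
        if not chain_valid:
            return "reject"  # normal CA validation failed; pinning never overrides that
        key, fp = self._host(host), self.fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp  # trust on first use
            return "first-use"
        # A certificate from a compromised CA validates, but differs from the pin.
        # The pin is left untouched so the warning repeats until the user decides.
        return "match" if fp == pinned else "changed"

    def accept_change(self, host, der):
        """Replace the pin after the user has confirmed the new certificate."""
        self.pins[self._host(host)] = self.fingerprint(der)


if __name__ == "__main__":
    store = PinStore()
    for cert in (CERT_A, CERT_A, CERT_B):
        print(store.check("example.org", cert, chain_valid=True))
```

A legitimate renewal or key rotation also produces `changed`, so the verdict is a prompt for review rather than proof of interception.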


The fact that you can bungle a WebRTC or SSL/TLS implementation doesn't make it useless for transport security. But of course security building blocks alone never guarantee properties of the entire system. Just like using AES doesn't make or break your security.


Encryption is mandatory. Currently, the implementation uses SRTP, but the proposal is eventually to use SCTP over DTLS over UDP. [http://tools.ietf.org/html/draft-ietf-rtcweb-data-channel-00...]



